.envrc

# shellcheck shell=bash
# load the user-specific envrc first, in this repo
if [[ -f .env ]]; then
  log_status "loading $(user_rel_path $PWD/.env)"
  dotenv .env
fi 

if [ -z "$VAULT_AUTH_GITHUB_TOKEN" ]; then
  PATH_TO_VAULT_AUTH_GITHUB_TOKEN="$HOME/.secrets/vault-auth-github-token"
  PATH_TO_VAULT_AUTH_GITHUB_TOKEN_PARENT_DIR="$HOME/.secrets"
  if [[ -d "${PATH_TO_VAULT_AUTH_GITHUB_TOKEN_PARENT_DIR}" && -f "${PATH_TO_VAULT_AUTH_GITHUB_TOKEN}" ]]; then
    log_status "vault: env-specific VAULT_AUTH_GITHUB_TOKEN is not set; loading from ${PATH_TO_VAULT_AUTH_GITHUB_TOKEN}..."
    export VAULT_AUTH_GITHUB_TOKEN=$(cat "${PATH_TO_VAULT_AUTH_GITHUB_TOKEN}" | tr -d '\n')
  else
    log_error "vault: VAULT_AUTH_GITHUB_TOKEN not set and no github token found at ${PATH_TO_VAULT_AUTH_GITHUB_TOKEN}"
    log_error "vault: fatal error, cannot continue. exiting now!"
    exit 2
  fi
fi

function auth_to_vault () {
  # auth against Vault if configured
  if has vault; then
    if [[ "$VAULT_ADDR" ]]; then
      log_status "vault: are we already authenticated?"
      vault token lookup -format=json > /dev/null && vault token renew -format=json > /dev/null
  
      if [[ $? -eq 0 ]]; then
        log_status "vault: re-authenticated with existing token!"
      else
        if [[ "$VAULT_ADDR" && "$VAULT_AUTH_GITHUB_TOKEN" ]]; then
          log_status "vault: fully re-authenticate, since our token could not be refreshed"
          vault login -method=github -no-print
          if [[ $? -eq 0 ]]; then
            log_status "vault: authenticated with new token!"
          else
            log_error "vault: could not authenticate with provided token!"
            log_status "vault: please open ${VAULT_ADDR} in your web browser and manually confirm your Github token works."
          fi
        else
          log_error "vault: VAULT_AUTH_GITHUB_TOKEN is not set. Many things are impossible without it."
        fi
      fi
    else
      log_error "vault: VAULT_ADDR is not set. Cannot login to vault."
    fi
  else
    log_error "ERROR: The vault CLI is not installed. Many things are impossible without it."
    log_error "ERROR: Install via brew (Homebrew) with: brew install vault"
  fi
}

function get_vault_kv() {
  vault_path=$1
  vault_key=${2:-value}
  log_status "vault: get kv ${vault_path}/${vault_key}"
  if [[ "$VAULT_ADDR" ]]; then
    VAULT_KV=$(vault kv get -field="${vault_key}" "${vault_path}")
    exit_code=$?
    if [ $exit_code -eq 2 ]; then
      log_status "vault: is likely unauthenticated, trying to re-auth now..."
      auth_to_vault

      # let's try that once again
      log_status "vault: get kv ${vault_path}/${vault_key}"
      VAULT_KV=$(vault kv get -field="${vault_key}" "${vault_path}")
    elif [ $exit_code -eq 1 ]; then
      log_error "vault: ERROR getting key/value: ${vault_path} / ${vault_key}"
    elif [ $exit_code -gt 2 ]; then
      log_error "vault: unknown exit code ${exit_code}. Please alert the ASICS Digital SRE Team."
    fi 
  fi
}